Published by Security Testing and Assurance on 15 November 2023
As part of CyberCX’s commitment to securing our communities, we endeavour to work with vendors through a responsible disclosure process and advise any vulnerabilities that we identify.
A vulnerability existed in Adobe ColdFusion where an unauthenticated attacker can obtain remote code execution. Adobe ColdFusion is an application server designed to provide development and deployment of dynamic web applications with supporting back-end database systems. The remote code execution resulted from a controlled file written into the ColdFusion web directory.
There were no prerequisites for this attack other than network connectivity to a ColdFusion instance. This vulnerability was identified by Daniel Jensen of CyberCX as part of a Red Team engagement for a customer.
Full exploitation details will be released later.
This vulnerability affects ColdFusion in its default configuration, meaning most instances of ColdFusion will be vulnerable. Initial research indicates that there are likely to be over 20,000 vulnerable hosts directly exposed to the Internet, with 380 of those located in Australia and New Zealand.
CyberCX has confirmed that this affects:
- ColdFusion 2018 HF19 (JEE version)
- ColdFusion 2021 U11 (Windows Installer)
- ColdFusion 2023 U5 (Windows Installer)
All instances were tested with the secure profile active, on a Windows 10 host. Other configurations and versions may also be affected.
As of the 14th of November 2023, Adobe has released a security advisory with updates and technical notes for ColdFusion.
13/09/2023 – Report sent to Adobe Product Security Incident Response Team (PSIRT).
02/11/2023 – Email sent to Adobe requesting update.
03/11/2023 – Response from Adobe stating a fix would be released on the 14th of November and noting CVE-2023-44351 has been assigned.
14/11/2023 – Adobe publicly releases advisory, along with updates and technical notes.
15/11/2023 – Release of this advisory.
CyberCX would like to thank the Adobe Product Security Incident Response Team for working through this disclosure and remediating the vulnerability.